
ID #1139

How can I login to cmgui with a one-time password?


Introduction:

 

One-time password (OTP) authentication defeats replay attacks: each password on the list is valid for exactly one login, so a password captured by an attacker (keylogger, shoulder-surfing, an unencrypted channel) cannot be used again. An administrator can therefore log in to a cluster from an untrusted workstation without worrying about the password being captured. With otpw the typed password is a memorized prefix followed by one entry from a printed list, so a stolen list alone is not sufficient either.


OTP authentication can be implemented in BCM with PAM as follows:

1. Download the otpw OTP implementation:

wget -c http://www.cl.cam.ac.uk/~mgk25/download/otpw-1.3.tar.gz

 

2. Unpack the sources:

tar -xzvf otpw-1.3.tar.gz

 

3. Compile otpw:

* cd otpw

* Edit the Makefile and add the "-fPIC" flag to the "CFLAGS" variable. This is required to build the shared library pam_otpw.so, which provides both a PAM authentication component and a PAM session component. The authentication component asks for and verifies a one-time password; the session component prints a reminder of how many unused passwords remain after each successful login.

* make

 

4. Enable one-time-password authentication in the PAM configuration:

* Copy pam_otpw.so to /lib64/security/ (the PAM module directory on a 64-bit system).

* Add the following PAM lines to /etc/pam.d/cmd, the PAM service used for cmgui logins:

#%PAM-1.0

auth    required        pam_otpw.so

* Generate a list of one-time passwords with "otpw-gen". It will ask you to choose a prefix password: memorize it, and type it immediately before the one-time password (on the same line) at every login. Sample session:

/path/to/compiled/otpw/otpw-gen

Generating random seed ...

If your paper password list is stolen, the thief should not gain

access to your account with this information alone. Therefore, you

need to memorize and enter below a prefix password. You will have to

enter that each time directly before entering the one-time password

(on the same line).

When you log in, a 3-digit password number will be displayed.  It

identifies the one-time password on your list that you have to append

to the prefix password. If another login to your account is in progress

at the same time, several password numbers may be shown and all

corresponding passwords have to be appended after the prefix

password. Best generate a new password list when you have used up half

of the old one.

Enter new prefix password:

Reenter prefix password:

Creating '~/.otpw'.

Generating new one-time passwords ...

OTPW list generated 2013-07-12 18:11 on adel61-centos6-sge

000 C82b S5Jg  056 fSf% xZuR  112 =46u ipfJ  168 sAos cuTL  224 9DFp Tp29

[...]

042 gJ3q ez/d  098 3YHS Zehe  154 Bk=V QRwq  210 U8xe Q=Z:  266 Jja/ 7M=Z

[...]

055 hS=U HFhc  111 2+KO TU3N  167 MOrm tLv%  223 EohG Ms3a  279 k/NQ 4ezI

           !!! REMEMBER: Enter the PREFIX PASSWORD first !!!

Notes:

* Save the generated list (print it or store it somewhere safe); without it you cannot log in.

* otpw-gen creates a file named ".otpw" in the home directory of the user who ran it. It holds the data pam_otpw.so needs to verify the passwords, not the printable list itself, so keep the generated list separately.

* Copying ".otpw" to another user's home directory lets that user log in with the same list. Remember to change the ownership of the copied file to that user. Note that the prefix password and the list are then shared between the two accounts, so for per-user accountability it is preferable that each user runs otpw-gen themselves.

 

5. Verify login

* When you log in to cmgui you are now prompted for a one-time password. The prompt shows a 3-digit password number (for example 268); if another login to the account is in progress at the same time, several numbers are shown.

Note:

* Type the prefix password first, then, directly after it, the password printed beside that number in the generated list (the space otpw-gen prints in the middle of each password is only for readability). Use the resulting string as the password for cmgui. Each list entry works once; when about half of the list has been used, generate a new one.
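Assembling the response by hand from a paper list is error-prone, especially when several password numbers are shown at once. The following Python helper is an added example (not part of the original entry and not part of otpw or BCM) that parses a list in the layout otpw-gen prints above, extracts every 3-digit number from a login prompt, and builds "prefix + password(s)" in the order the numbers appear. The prompt text it accepts (e.g. "Password 042/098:"), the separator between numbers, and the assumption that the space printed between the two halves of each password is only for readability are assumptions, not statements from this page. The sample list is constructed from the rows shown on this page, so the passwords in it are not real.

```python
import re
from typing import Dict, List

# Constructed sample in the layout otpw-gen prints (rows copied from the
# page's sample output, elided rows left out); not a real password list.
SAMPLE_LIST = """\
OTPW list generated 2013-07-12 18:11 on adel61-centos6-sge

000 C82b S5Jg  056 fSf% xZuR  112 =46u ipfJ  168 sAos cuTL  224 9DFp Tp29
042 gJ3q ez/d  098 3YHS Zehe  154 Bk=V QRwq  210 U8xe Q=Z:  266 Jja/ 7M=Z
055 hS=U HFhc  111 2+KO TU3N  167 MOrm tLv%  223 EohG Ms3a  279 k/NQ 4ezI

           !!! REMEMBER: Enter the PREFIX PASSWORD first !!!
"""

# One list entry: a 3-digit number, then the password printed as two
# 4-character halves separated by a single space.
ENTRY = re.compile(r"(\d{3}) (\S{4}) (\S{4})")


def parse_otpw_list(text: str) -> Dict[int, str]:
    """Map password number -> 8-character one-time password.

    Assumption (not stated on the page): the space between the two halves
    is only for readability and is not part of the password.
    """
    table: Dict[int, str] = {}
    for line in text.splitlines():
        if not re.match(r"\d{3} ", line):   # skip header / reminder lines
            continue
        for num, left, right in ENTRY.findall(line):
            n = int(num)
            if n in table:
                raise ValueError(f"duplicate password number {num}")
            table[n] = left + right
    return table


def challenge_numbers(prompt: str) -> List[int]:
    """Every 3-digit password number shown in a login prompt.

    More than one appears when another login to the account is in
    progress. The separator otpw uses is not given on the page, so any
    non-digit separator is accepted (e.g. 'Password 042/098:').
    """
    return [int(n) for n in re.findall(r"\b\d{3}\b", prompt)]


def build_response(prefix: str, table: Dict[int, str], prompt: str) -> str:
    """Return prefix + the password for each number, in the order shown.

    Each password used is removed from the table, so asking for the same
    number twice fails: the list is one-time only by design.
    """
    nums = challenge_numbers(prompt)
    if not nums:
        raise ValueError(f"no password number found in prompt: {prompt!r}")
    missing = [n for n in nums if n not in table]
    if missing:
        raise KeyError(f"password number(s) {missing} not on list or already used")
    return prefix + "".join(table.pop(n) for n in nums)


if __name__ == "__main__":
    otp = parse_otpw_list(SAMPLE_LIST)
    # "prefix-kept-secret" stands in for the memorized prefix password.
    print(build_response("prefix-kept-secret", otp, "Password 042:"))
    print(f"{len(otp)} one-time passwords left on the sample list")
```

Keep the prefix password out of any file the helper reads; the point of the prefix is that it exists only in the user's memory, so the list on paper (or in a file) is useless on its own.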
